Re: The Demise of Simple Assurance?

From: Casey Schaufler (caseyat_private)
Date: Thu Aug 02 2001 - 08:07:08 PDT

  • Next message: Stephen Smalley: "Making forward progress"

    Crispin Cowan wrote:
    > I believe it to be completely infeasible to ever consider moving the kernel
    > security logic into a module.  In-kernel security logic ("DAC" for short :-) is
    > deeply intertwined with lots of other non-security code.  Teasing it apart
    > would be a Herculean task (complete with shoveling loads of crap :-) and is
    > fraught with error.  As a result, the kernel group is highly likely to reject
    > such a proposal.
    Let us not forget our real-time embedded friends,
    who want the null security policy. For them, leaving
    the DAC code as is is clearly the wrong solution,
    as the "capable always returns true" scheme gains
    them nothing, while a DAC module which does no
    checks but always returns success speeds them up.
    We also have the impending NFSv4 crisis, with it's
    bizillon and six unpleasant DAC attributes to deal with,
    and the DAC policy enforcement will not be 100% file
    system specific. If DAC isn't in a security module
    for that, it's gonna get ugly.
    > So no, moving the in-kernel/DAC logic to a module was not what I was proposing,
    > and it is unlikely to ever be considered.  That's not a dictatorial rule, but
    > IMHO, it is practical advice.
    While I understand this position, I cannot condone it.
    How can I change the DAC policy if it's not in the module?
    How can I make Privileged Ports a DAC policy if I want?
    How can I implement Hovan ACLs instead of POSIX ACLs?
    In short, I can't. There is no way I can change the DAC
    policy using LSM if the hooks are not authoritative or
    do not include the DAC enforcement. I'm, as you say,
    back to square one, requesting my own changes be applied
    because LSM wasn't good enough for my evil purposes.
    Casey Schaufler				Manager, Trust Technology, SGI
    caseyat_private				voice: 650.933.1634
    casey_pat_private			Pager: 888.220.0607
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 08:12:14 PDT